Splunk Search

Field extraction

Path Finder

I want to create report for events whose field names haven't been extracted. I have SSH logs of the format "Accepted publickey for user XYZ" , "Accepted publickey for user ABC" and so on. I want to collect statistics for XYZ and other users. When I test an extraction, I get a javascript error on page which says invalid argument. Even if I save a field extraction, I'm not able to use it in my search. Can someone please tell me how to go about it?

Tags (1)
0 Karma
1 Solution

Motivator

I am not sure why you getting java script error maybe an issue with your browser...

There are several methods to extract fields:

First i usually use erex to see what regex will catch my field values:

... | erex user examples="XYZ, ABC" counterexamples="99/2"

Then it will give me a regex which i would use in rex command:

... | rex field=_raw "Accepted\spublickey\sfor\suser\s(?<user>.*[^\s]) "

Then I Use the Field extractions page in Manager.

Here you will find all the methods to extract fields : Fields and field extractions

View solution in original post

Motivator

I am not sure why you getting java script error maybe an issue with your browser...

There are several methods to extract fields:

First i usually use erex to see what regex will catch my field values:

... | erex user examples="XYZ, ABC" counterexamples="99/2"

Then it will give me a regex which i would use in rex command:

... | rex field=_raw "Accepted\spublickey\sfor\suser\s(?<user>.*[^\s]) "

Then I Use the Field extractions page in Manager.

Here you will find all the methods to extract fields : Fields and field extractions

View solution in original post

Path Finder

That worked perfectly! Thanks.

0 Karma